#!

###########################
# Firewall Settings Policy
###########################
#
# Used as a reference for the existing KMU Example Firewall Policy Rules
#

# Firewall policy table for the example unit "mydomain1-sg0e0".
# FortiOS evaluates policies top-down in the order they appear here, so
# position matters: the two rules with no "set action" (17 and 18, which
# fall back to the default action) must stay above the broad "service ALL"
# accepts (21, 24, 28) or they will never be reached.
# Grouping: 1-8 remote-access VPN -> LAN, 9-14 published Exchange services
# via VIP objects, 15-16 SIP (disabled), 17 stealth rule, 18 block of
# plaintext mail egress, 19-21 guest SSID egress, 22-24 internal SSID egress,
# 25-28 LAN egress. Every policy logs all sessions ("logtraffic all").
# The "*.local" UTM profiles and the address/VIP/pool objects referenced
# below are defined elsewhere in the configuration.
config firewall policy
    # 1: FortiClient dial-up IPsec pool (ipsec-fc) -> LAN, any service, UTM on.
    #    The comment records IKEv1 aggressive mode; the phase1 settings are
    #    outside this file. Aggressive mode with a PSK is weaker than main
    #    mode / IKEv2 -- confirm there. No "groups" restriction on this
    #    policy (contrast policy 8), so any authenticated tunnel user gets
    #    full LAN access.
    edit 1
        set global-label "<-- Allow Incoming Traffic IPSEC-VPN gr-ipsec-fc-vpn -->"
        set srcintf "ipsec-fc"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-ip-pool-ipsec-fc-vpn-198.18.1.128-25"
        set dstaddr "net-mydomain1-lan-198.18.0.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming IPSec Connection (Aggresive Mode) FortiClient Windows, Mac and Android mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 2: Reverse direction LAN -> ipsec-fc pool. "status disable" keeps it
    #    inactive; return traffic for policy 1 is matched statefully, so this
    #    is presumably kept only as a template for LAN-initiated access.
    edit 2
        set global-label "<-- Allow Back Traffic IPSEC-VPN gr-ipsec-fc-vpn -->"
        set srcintf "internal1"
        set dstintf "ipsec-fc"
        set srcaddr "net-mydomain1-lan-198.18.0.0-24"
        set dstaddr "net-mydomain1-ip-pool-ipsec-fc-vpn-198.18.1.128-25"
        set action accept
        set status disable
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Back IPSec Connection (Aggresive Mode) FortiClient Windows, Mac and Android mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 3: iOS native IPsec client pool (ipsec-ios) -> LAN, any service.
    #    Same shape and caveats as policy 1 (aggressive mode per comment,
    #    no group restriction).
    edit 3
        set global-label "<-- Allow Incoming Traffic IPSEC-VPN gr-ipsec-ios-vpn -->"
        set srcintf "ipsec-ios"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-ip-pool-ipsec-ios-vpn-198.18.4.0-25"
        set dstaddr "net-mydomain1-lan-198.18.0.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming IPSec Connection (Aggresive Mode)  IPhone, IPad Native IPsec Client mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 4: Cisco native IPsec client pool (ipsec-cisco) -> LAN, any service.
    #    Comment records main mode for this tunnel.
    edit 4
        set global-label "<-- Allow Incoming Traffic IPSEC-VPN gr-ipsec-cisco-vpn -->"
        set srcintf "ipsec-cisco"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-ip-pool-ipsec-cisco-vpn-198.18.5.0-25"
        set dstaddr "net-mydomain1-lan-198.18.0.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming IPSec Connection (Main Mode)  Cisco Native IPsec Client mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 5: Reverse direction LAN -> ipsec-cisco pool, disabled (see policy 2).
    edit 5
        set global-label "<-- Allow Back Traffic IPSEC-VPN gr-ipsec-cisco-vpn -->"
        set srcintf "internal1"
        set dstintf "ipsec-cisco"
        set srcaddr "net-mydomain1-lan-198.18.0.0-24"
        set dstaddr "net-mydomain1-ip-pool-ipsec-cisco-vpn-198.18.5.0-25"
        set action accept
        set status disable
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Back IPSec Connection (Main Mode)  Cisco Native IPsec Client mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 6: L2TP service only, intf-l2tp -> wan1, any -> any address.
    #    NOTE(review): the label says "Incoming" but srcintf/dstintf read as
    #    l2tp-interface -> wan; confirm the direction is the intended one.
    #    No dlp-sensor here, unlike the other VPN policies.
    edit 6
        set global-label "<-- Allow Incoming Traffic IPSEC-VPN gr-ipsec-l2tp-vpn -->"
        set srcintf "intf-l2tp"
        set dstintf "wan1"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "L2TP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming IPSec Connection (Interface Mode)  L2TP IPsec Client mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 7: L2TP client pool -> LAN, any service. This is the only VPN->LAN
    #    policy with "nat enable" (no ippool, so clients are source-NATed to
    #    the egress interface address): LAN hosts and their logs then see the
    #    firewall rather than the VPN client. The policy-level logging here
    #    is what preserves attribution -- keep it if NAT stays on.
    edit 7
        set srcintf "intf-l2tp"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-ip-pool-ipsec-l2tp-vpn-198.18.4.128-25"
        set dstaddr "net-mydomain1-lan-198.18.0.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming IPSec Connection (Interface Mode)  L2TP IPsec Client mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
    next
    # 8: SSL VPN (tunnel and web portal) pool -> LAN, any service. The only
    #    remote-access policy tied to user groups ("set groups"), so access is
    #    both network- and identity-scoped.
    edit 8
        set global-label "<-- Allow Incoming Traffic SSL-VPN gr-ssl-vpn Tunnel/Portal -->"
        set srcintf "ssl.root"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-ip-pool-ssl-vpn-198.18.1.0-25"
        set dstaddr "net-mydomain1-lan-198.18.0.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set groups "gr-ssl-fc-tunne-vpn-mydomain1.local" "gr-ssl-fc-web-vpn-mydomain1.local"
        set comments "Allow Incoming SSL VPN Tunnel Connection mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 9: Internet -> MX VIP (1.1.1.1:25), SMTP only. The most complete
    #    inspection set in the file: AV, spam filter, the Exchange-specific
    #    IPS sensor and botnet-connection blocking.
    edit 9
        set global-label "<-- Allow Incoming/Outgoing --> MX Exchange Server"
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "nat-ip-mydomain1-1.1.1.1-32-port-25"
        set action accept
        set schedule "always"
        set service "SMTP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming SMTP MX Exchange Server mydomain1-sg0e0"
        set scan-botnet-connections block
        set av-profile "mydomain1-default.local"
        set spamfilter-profile "mydomain1-default.local"
        set ips-sensor "mydomain1-prot-exchange.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 10: Outbound SMTP from the single host 198.18.0.92 only, SNATed through
    #     the 1.1.1.1 IP pool (presumably so mail leaves from the MX address).
    #     Because this sits above policy 18, the mail host is exempt from the
    #     plaintext-SMTP block that applies to the rest of the LAN.
    edit 10
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "host-mydomain1-198.18.0.92-32"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "SMTP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgong SMTP MX Exchange Server mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next 
    # 11-13: Internet -> Exchange client VIPs for POP3S (995), IMAPS (993)
    #        and SMTPS (465). These are TLS services and carry no
    #        ssl-ssh-profile, so AV/IPS are not applied and application
    #        control can only see unencrypted metadata. The Exchange IPS
    #        sensor used on policy 9 is not attached here -- consider
    #        whether that is intentional.
    edit 11
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "nat-ip-mydomain1-1.1.1.1-32-port-995"
        set action accept
        set schedule "always"
        set service "POP3S"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming Client Exchange Server mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set global-label "<-- Allow Incoming --> Exchange Client"
    next
    edit 12
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "nat-ip-mydomain1-1.1.1.1-32-port-993"
        set action accept
        set schedule "always"
        set service "IMAPS"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming Client Exchange Server mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    edit 13
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "nat-ip-mydomain1-1.1.1.1-32-port-465"
        set action accept
        set schedule "always"
        set service "SMTPS"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming Client Exchange Server mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 14: Internet -> Exchange VIP :443 (ActiveSync), HTTPS. The comment
    #     records "No Auth/Cert", i.e. no client-certificate requirement in
    #     front of it, and the policy carries no IPS sensor or SSL inspection.
    #     An Internet-exposed web endpoint with only application control is
    #     worth revisiting; at minimum the policy 9 IPS sensor could apply.
    edit 14
        set global-label "<-- Allow Incoming/Outgoing --> ActiveSync"
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "nat-ip-mydomain1-1.1.1.1-32-port-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming ActiveSynch (No Auth/Cert) mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    # 15-16: SIP inbound to the VIP :5060 and outbound from host 198.18.0.94,
    #        both "status disable" -- present but not active.
    edit 15
        set global-label "<-- Allow Incoming/Outgoing Voip SIP --> Without Filter"
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "nat-ip-mydomain1-1.1.1.1-32-port-5060"
        set action accept
        set status disable
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Incoming Voip/SIP Without Filter Connection mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
    next
    edit 16
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "host-mydomain1-198.18.0.94-32"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set status disable
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Voip/SIP Without Filter Connection mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    # 17: Stealth rule: any -> any, all sources to the firewall-interface
    #     address group, all services. No "set action", so it relies on the
    #     default action (deny on FortiOS -- verify on the target build).
    #     NOTE(review): traffic addressed to the unit's own interface IPs is
    #     normally handled as local-in traffic (interface "allowaccess" and
    #     "config firewall local-in-policy"), not by firewall policies, so
    #     confirm what this group actually covers and that management access
    #     is restricted there too. Logging denied hits here is still useful
    #     for spotting scans.
    edit 17
        set global-label "<-- Stealth Rule -->"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "net-mydomain1-all-0.0.0.0-00"
        set dstaddr "gr-mydomain1-fw-interface"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "STEALTH RULE (no more access to FW Interfaces) mydomain1-sg0e0"
    next
    # 18: Block plaintext mail protocols (POP3/SMTP/IMAP) from the LAN and the
    #     internal SSID to the Internet; no "set action", so default action
    #     applies (see 17). Must stay above policies 22-28, which would
    #     otherwise accept these services. The TLS variants are permitted by
    #     policy 25; the mail host is exempted by policy 10 above.
    edit 18
        set global-label "<-- Disallow Outgoing Traffic For Specific Service -->"
        set srcintf "internal1" "only4internal"
        set dstintf "wan1"
        set srcaddr "net-mydomain1-lan-198.18.0.0-24" "net-ssid-only4internal-198.18.2.0-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set schedule "always"
        set service "POP3" "SMTP" "IMAP"
        set logtraffic all
        set comments "Disallow Outgoing POP3 SMTPSIMAP Connection mydomain1-sg0e0"
    next
    # 19-21: Guest SSID egress, SNATed through the 1.1.1.1 pool.
    #        19 HTTP/FTP with web filter + DLP; 20 HTTPS with web filter and
    #        the "url-scan" ssl-ssh profile; 21 is the catch-all for every
    #        other service with DLP and application control only. Because the
    #        service objects match fixed ports, HTTP on a non-standard port
    #        falls through to 21 and bypasses the web filter.
    edit 19
        set global-label "<-- Allow Outgoing Traffic SSID only4guest --> With Filter"
        set srcintf "only4guest"
        set dstintf "wan1"
        set srcaddr "net-ssid-only4guest-198.18.2.128-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "HTTP" "FTP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic for SSID only4guest mydomain1-sg0e0"
        set webfilter-profile "mydomain1-default.local"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    edit 20
        set srcintf "only4guest"
        set dstintf "wan1"
        set srcaddr "net-ssid-only4guest-198.18.2.128-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic for SSID only4guest mydomain1-sg0e0"
        set webfilter-profile "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set ssl-ssh-profile "mydomain1-url-scan.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    edit 21
        set srcintf "only4guest"
        set dstintf "wan1"
        set srcaddr "net-ssid-only4guest-198.18.2.128-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic for SSID only4guest mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    # 22-24: Internal SSID egress. Unlike the guest set, dstintf lists both
    #        "wan1" and "internal1", so these policies also grant the SSID
    #        access to the LAN (24: any service). 22 adds AV and botnet
    #        blocking for HTTP/FTP; same non-standard-port caveat as 19-21.
    #        NOTE(review): "nat enable" + the external IP pool applies to the
    #        internal1-bound traffic as well, which would present SSID clients
    #        to LAN hosts under the pool address -- confirm this is intended,
    #        since it removes client attribution from LAN-side logs.
    edit 22
        set global-label "<-- Allow Outgoing Traffic SSID only4internal --> With Filter"
        set srcintf "only4internal"
        set dstintf "wan1" "internal1"
        set srcaddr "net-ssid-only4internal-198.18.2.0-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "HTTP" "FTP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic for SSID only4internal mydomain1-sg0e0"
        set scan-botnet-connections block
        set av-profile "mydomain1-default.local"
        set webfilter-profile "mydomain1-default.local"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    edit 23
        set srcintf "only4internal"
        set dstintf "wan1" "internal1"
        set srcaddr "net-ssid-only4internal-198.18.2.0-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic for SSID only4internal mydomain1-sg0e0"
        set webfilter-profile "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set ssl-ssh-profile "mydomain1-url-scan.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    edit 24
        set srcintf "only4internal"
        set dstintf "wan1" "internal1"
        set srcaddr "net-ssid-only4internal-198.18.2.0-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic for SSID only4internal mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    # 25: TLS mail (POP3S/SMTPS/IMAPS) from the LAN and internal SSID to the
    #     Internet, SNATed via the pool. Pairs with the plaintext block in 18.
    edit 25
        set global-label "<-- Allow Outgoing Traffic POP3S SMTPS IMAPS --> Without Filter"
        set srcintf "internal1" "only4internal"
        set dstintf "wan1"
        set srcaddr "net-mydomain1-lan-198.18.0.0-24" "net-ssid-only4internal-198.18.2.0-25"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "POP3S" "SMTPS" "IMAPS"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing POP3S SMTPS IMAPS Connection mydomain1-sg0e0"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    # 26-28: LAN egress, SNATed via the pool. 26 HTTPS with web filter and
    #        the "url-scan" ssl-ssh profile; 27 HTTP/FTP with AV, botnet
    #        blocking, web filter and DLP; 28 is the catch-all for any other
    #        service with DLP and application control only -- as with 21,
    #        traffic on non-standard ports reaches 28 without AV/web filter.
    edit 26
        set global-label "<-- Allow Outgoing Traffic HTTPS --> With Filter URL Scan only"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "net-mydomain1-lan-198.18.0.0-24"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic at all mydomain1-sg0e0"
        set webfilter-profile "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set ssl-ssh-profile "mydomain1-url-scan.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    edit 27
        set global-label "<-- Allow Outgoing Traffic HTTP FTP Traffic --> With Filter"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "net-mydomain1-lan-198.18.0.0-24"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "HTTP" "FTP"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic at all mydomain1-sg0e0"
        set scan-botnet-connections block
        set av-profile "mydomain1-default.local"
        set webfilter-profile "mydomain1-default.local"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
    edit 28
        set global-label "<-- Allow Outgoing Traffic All --> With Filter"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "net-mydomain1-lan-198.18.0.0-24"
        set dstaddr "net-mydomain1-all-0.0.0.0-00"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Allow Outgoing Traffic at all mydomain1-sg0e0"
        set dlp-sensor "mydomain1-default.local"
        set application-list "mydomain1-default.local"
        set profile-protocol-options "mydomain1-default.local"
        set nat enable
        set ippool enable
        set poolname "dst-nat-ip-mydomain1-1.1.1.1-32"
    next
end